DETAILED ACTION

1. This action is in response to arguments or remarks filed on November 07, 2005. 
Claims 1 - 12 and 21 - 36 are pending.

Response to Arguments 

2. Applicant's arguments filed on November 07, 2005, have been fully considered 
but they are not persuasive for the following reasons: 

3. Regarding the rejection of Claims 1 - 12 and 21 - 36 under 35 USC 112, first 
paragraph, Applicant directs to instant specification pages 3, 5, 6 and 7 stating, 
"application servers 14 are coupled with the user computers 12 via the communications 
network 22 and are provided for running applications on behalf of the user computers", 
"user first launches some application or program in a conventional manner" and "user 
next logs into the selected authorization server 16 using account or ID information", 
"when the user attempts to access other applications ... while he or she is still logged 
into the system, these other applications may reference the Session ID ... for 
authorization purposes related to the new applications". Examiner agrees with the 
Applicant that above stated facts are disclosed in the instant application specification. 
Applicant further states, "Thus, the specification teaches a plurality of separately 
secured remote applications". Examiner maintains that instant specification does not
disclose "a plurality of separately-secured remote applications" as clearly detailed by the 
applicant's own citations from the instant specification, and restates that there is no 
disclosure for "a plurality of separately-secured remote applications" anywhere in the 
instant specification. Accordingly, the rejection for the pending claims 1-12 and 21 - 
36 is respectfully maintained. 

4. Applicant directs to instant specification page 6 stating, "The authorization server 
16 then copies or links the Session ID or some derivative thereof to something on the 
user's computer 12 such as a cookie, shared application memory, or the computer's 
network address. It is important only that other applications launched by the user from 
the user computer be able to read or otherwise determine this Session ID by accessing 
something on the user's computer". Examiner agrees with the Applicant that above 
stated facts are disclosed in the instant application specification. Applicant further 
states, "One skilled in the art would reasonably understand that in the act of linking the
Session ID to something on the user's computer, a link which may have the form of a 
cookie is created and stored. Once created, other applications may read (retrieve) it". 
Examiner maintains that instant specification does not disclose "storing a link or 
retrieving the link" as clearly detailed by the applicant's own citations from the instant 
specification. Instant application specification discloses "The authorization server copies
or links the Session ID or some other derivative (such as a cookie, shared memory or
the computer's network)". Instant application specification further discloses, "The
authorization server 16 also creates an object representing the user or the Session ID
and stores it in the directory 20 after log-in" (see instant application specification page 6
lines 26 - 31). Thus the specification discloses copying the Session ID, creating and
storing the Session ID in the directory. Examiner maintains that there is no disclosure 
for "storing a link or retrieving the link" anywhere in the instant specification. 
Accordingly, the rejection for the pending claims 1-12 and 21 - 36 is respectfully 
maintained. 

The dependent claims 2 - 12, 21 - 26, 28 - 30 and 33 - 36 are rejected at least 
by virtue of their dependency on the dependent claims. 

5. Applicant agrees with the Examiner that the cited prior arts [Alegre U.S. Patent
6,199,113, hereafter "Alegre", Hartman et al. U.S. Patent 5,960,411, hereafter
"Hartman" and Blanco et al. U.S. Patent 6,539,482, hereafter "Blanco"], disclose creating
a session key that is stored at a client browser and is used to access a trusted network.

Alegre discloses a system wherein a session key is established for accessing a 
trusted network from a browser. The session key is created the first time a user 
requests access to a resource on the trusted network. Subsequently, whenever the user 
accesses the trusted network during the session in which the session key is made, the
session key is transmitted with the access request so that the trusted network can use 
the session key to authenticate the user. Furthermore, Hartman discloses a method and 
system for ordering an item from a client system. The client system is provided with an 
identifier (cookie) that identifies a customer and the server system uses the identifier 
(cookie) to identify additional information needed to generate an order. The server
system stores the received additional information in association with an identifier of the 
customer and provides the identifier to the client system. Furthermore, Blanco discloses 
a network access authentication system including a directory service containing a 
remote access password and a standard access password for each user of the network, 
using an authentication protocol that provides information on whether a user is 
accessing the network locally or remotely, and including a front-end between the
directory service and the authentication protocol. 

6. Regarding Claims 1, 7, 27 and 32, Applicant argues that the cited prior art fails to
teach, "an object associated with the Session ID is stored dynamically in a directory on 
a directory server couple with the authorization server", "the directory server permits 
other computer applications launched by the computer user to reference the Session ID 
on the user's computer" and "the user is authenticated and authorized to the second 
separately-secured computer application by exchanging the stored security information 
between the directory server and the application server". These arguments are not 
found persuasive. 

Instant application discloses that Session ID may relate to the date or time that 
the user logged in, the media access control (MAC) address of the user's computer, the 
TCP/IP address of the user's computer, the user's name, an account code for the user, 
a combination of any of these criteria, or any other criteria. Alegre discloses an 
authentication server requesting a session key from a key server, which creates a 
session key (Session ID) and storing the session key along with the user ID and PWD.
Alegre further discloses storing cookies (small files used to store the session key placed 
on a user's computer by a server) and using such session key to request for other 
resources on network (see Alegre Column 4 lines 8 - 42; Column 5 lines 8 - 20; 
Column 6 lines 24 - 67 and Column 7 line 1 - Column 8 line 27). 

Hartman discloses generating a single-action order summary (shopping cart with 
user purchases information), which is saved on the server system (directory) along with 
the single-action ordering information that includes client (user) identifier (session ID) 
(Column 3 line 31 - Column 8 line 25). 

Blanco discloses a network access authentication system that gathers the data 
concerning the users, including authentication data, in a database of a directory, which 
uses Lightweight directory access protocol, which is specifically targeted at 
management applications, and browsing applications that provide interactive access to 
directories (Column 3 lines 22 - 67).

7. Therefore, the examiner respectfully asserts that the cited prior art does teach or 
suggest the subject matter, "an object associated with the Session ID is stored 
dynamically in a directory on a directory server couple with the authorization server",
"the directory server permits other computer applications launched by the computer 
user to reference the Session ID on the user's computer" and "the user is authenticated 
and authorized to the second separately-secured computer application by exchanging 
the stored security information between the directory server and the application server" 
broadly recited in the independent claims 1, 7, 27 and 32. The dependent claims 2-12,
21 - 26, 28 - 30 and 33 - 36 are rejected at least by virtue of their dependency on the 
dependent claims and by other reason set forth in this office action. Accordingly, the 
rejection for the pending claims 1-12 and 21 - 36 is respectfully maintained. 

Claim Rejections - 35 USC §112 

The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

Claims 1 - 6, 7 - 12 and 21 - 36 are rejected under 35 U.S.C. 112, first 
paragraph, as failing to comply with the written description requirement. The claim(s) 
contains subject matter which was not described in the specification in such a way as to 
reasonably convey to one skilled in the relevant art that the inventor(s), at the time the 
application was filed, had possession of the claimed invention. 

The independent Claims 1, 7, 27 and 32, read, "... plurality of separately secured
remote applications ...", "... separately-secured computer applications ...", "... first
secured computer application ...", "... second separately-secured computer
application ....", and Claims 27 and 32 further read "... storing a link ... retrieving the
link; ....".

With respect to "... plurality of separately secured remote applications ...", "...
separately-secured computer applications ...", "... first secured computer application
...", "... second separately-secured computer application ....", although the specification
discloses the authorization servers (16) are coupled with user computers (12) and the
application servers (14) via the communications network (22) and are provided for
authenticating and authorizing the user computers, the specification does not disclose
"... plurality of separately secured remote applications ...", "... separately-secured
computer applications ...", "... first secured computer application ...", "... second
separately-secured computer application ....". The specification does not indicate how
"... plurality of separately secured remote applications ...", "... separately-secured
computer applications ...", "... first secured computer application ...", "... second
separately-secured computer application ...." are implemented to authenticate and
authorize a computer user. Applicant amendment does not clarify "... plurality of
separately secured remote applications ...", "... separately-secured computer
applications ...", "... first secured computer application ...", "... second separately-
secured computer application ...." and merely recites the claims 1 and 7 and
summarizes claims 27 - 36.

With respect to "... storing a link ... retrieving the link; ....", the specification does
not indicate how "... storing a link ... retrieving the link; ...." are configured for
authenticating and authorizing the user to a plurality of separately-secured computer
applications anywhere in the specification. Applicant remarks/arguments do not
address "... storing a link ... retrieving the link; ...." and merely summarize claims 27 -
36.

The dependent claims 2 - 6, 8 - 12, 21 - 26, 28 - 31 and 33 - 36 are rejected at 
least by virtue of their dependency on the dependent claims. 



Claim Rejections - 35 USC § 102 

The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

Claims 1 - 4, 7 -10, 21, 24, 27, 29, 30, 32, 34 and 35 are rejected under 35 
U.S.C. 102(e) as being anticipated by Alegre et al. (U.S. Patent Number 6,199,113).

Regarding Claim 1, Alegre teaches and describes

storing security information for a plurality of computer users in a user profile 
database (Column 4 lines 8 - 36); 

the user launching a first secured computer application on an application server 
(Column 4 lines 8 - 36); 

receiving at an authorization server coupled with the user profile database log- 
in information from the computer user who has launched a computer application 
(Column 4 lines 8 - 40);

in response to step b, creating a Session ID for the computer user with the
authorization server (Column 4 lines 8 - 40 and Column 6 lines 24 - 42);

storing at least a portion of the Session ID on the user's computer (Column 4 
lines 8 - 42); 

also in response to step b, creating an object associated with the computer user 
or the Session ID (Column 4 lines 8-42 and Column 5 lines 8 - 20); 

storing the object dynamically in a directory stored in a directory server coupled 
with the authorization server and the application server (Column 5 line 48 - Column 6 
line 49); 

copying at least some of the security information relating to the computer user 
from the user profile database to the object in the directory (Column 6 lines 24 - 67); 

comparing the log-in information entered by the computer user to the security 
information for the computer user and allowing the computer user access to the first
secured computer application if the user is an authenticated or authorized user of the 
first secured computer application (Column 6 lines 24 - 49); and 

the user launching a second separately-secured computer application on an 
application server (Column 4 lines 48 - 67 and Column 8 lines 22 - 44); 

the second separately-secured computer application reading the Session ID on 
the user's computer (Column 6 lines 6 - 68); and 

the second separately-secured computer applications accessing the object for 
the computer user on the directory server in response to the Session ID to authenticate 
or authorize the user for the second separately-secured computer applications (Column
5 line 48 - Column 6 line 49). 

Regarding Claim 7, Alegre teaches and describes 

a user profile database for storing security information for a plurality of computer 
users (Column 4 lines 8 - 36); 

an authorization server coupled with the user profile database for receiving log-in 
information from a computer user who has launched a first secured computer 
application, for creating a Session ID for the computer user, for storing at least a portion 
of the Session ID on the user's computer and for creating an object associated with the 
computer user or the Session ID (Column 4 lines 8 - 42; Column 5 lines 8-20 and 
Column 6 lines 24 - 42); and 

a directory stored in a directory server coupled with the authorization server for 
dynamically storing the object created by the authorization server (Column 6 lines 24 - 
34), 

the authorization server being further operable for copying at least some of the 
security information relating to the computer user from the user profile database to the 
object in the directory, comparing log-in information entered by the computer user to the 
security information for the computer user and allowing the computer user access to the 
launched first secured computer application if the user is an authenticated or authorized 
user of the computer application (Column 5 line 48 - Column 6 line 49), 

the directory server permitting other separately-secured computer applications
launched by the computer user to reference the Session ID read by the separately- 
secured computer applications on the user's computer so that the other separately- 
secured computer applications may access the object for the computer user on the 
directory server to authenticate or authorize the user for the other separately-secured 
computer applications (Column 6 lines 6 - 67). 

Regarding Claim 27, Alegre teaches and describes 

the user remotely launching a first secured computer application from a user 
computer (Column 4 lines 8 - 36); 

authenticating and authorizing the user to the first secured computer application 
by exchanging security information between the user and an authorization server 
(Column 5 line 48 - Column 6 line 49); 

storing at least a portion of the security information in an object within a dynamic 
directory on a directory server (Column 5 line 48 - Column 6 line 49); 

storing a link to the object on the user computer (Column 4 lines 25 - 54); 

the user remotely launching a second separately-secured computer application 
on an application server (Column 4 lines 48 - 67 and Column 8 lines 22 - 44); 

retrieving the link (Column 4 lines 25 - 54); 

authenticating and authorizing the user to the second separately-secured 
computer application by exchanging the stored security information between the 
directory server and the application server (Column 5 line 48 - Column 6 line 49). 

Regarding Claim 32, Alegre teaches and describes

an authorization server for authenticating and authorizing the user to secured 
computer applications by exchanging security information between the user and the 
authorization server when a first secured computer application is launched by the user 
(Column 5 line 48 - Column 6 line 49); 

a directory server storing at least a portion of the security information in an object 
within a dynamic directory, wherein a link to the object is stored on the user computer; 
and 

an application server implementing a second separately-secured computer 
application for remote launching by the user, wherein the second separately-secured 
computer application retrieves the link, and wherein the user is authenticated and 
authorized to the second separately-secured computer application by exchanging the 
stored security information between the directory server and the application 
server (Column 5 line 48 - Column 6 line 67).

Claims 2 and 8 are rejected as applied above in rejecting claims 1 and 7. 
Furthermore, Alegre teaches and describes the security information including 
authentication and authorization information (Column 4 lines 48 - 67 and Column 7 
lines 55 - Column 8 line 20). 

Claims 4, 10, 29 and 34 are rejected as applied above in rejecting claims 1 and
7. Furthermore, Alegre teaches and describes the Session ID being based on at least 
one of the following: a date on which the computer user launched the first secured 
computer application; a time in which the computer user launched the first secured 
computer application; a TCP/IP address of the computer user; and a user name of the 
computer user (Column 3 lines 1-11, Column 5 lines 8-36 and Column 6 lines 24 - 
68). 

Claims 3 and 9 are rejected as applied above in rejecting claims 2 and 8. 
Furthermore, Alegre teaches and describes the authentication and authorization 
information including at least one of the following: user names, user IDs, passwords, 
public-key data, certificates, and access control information (Column 5 line 8 - Column 
6 line 65). 

Claims 21 and 24 are rejected as applied above in rejecting claims 1 and 7. 
Furthermore, Alegre teaches and describes wherein the other computer applications 
access the object on the directory server using a dynamic directory service (Column 5 
line 48 - Column 6 line 49). 

Claims 30 and 35 are rejected as applied above in rejecting claims 27 and 32.
Furthermore, Alegre teaches and describes the steps of: 

one of the secured computer applications storing application data in the object; 
and the other one of the secured computer applications retrieving the application data 
according to the link (Column 4 lines 32 - 67). 



Claim Rejections - 35 USC § 103 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

Claims 5, 6, 11, 12, 31 and 36 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Alegre et al. (U.S. Patent Number 6,199,113, hereinafter "Alegre") in 
view of Hartman et al. (U.S. Patent Number 5,960,411, hereinafter "Hartman").

Claims 5, 11, 31 and 36 are rejected as applied above in rejecting claims 1, 7,
30 and 35. Alegre does not explicitly disclose that the method for dynamically tracking a 
user session includes the steps of creating a shopping cart and storing the shopping 
cart along with the object in the directory. However, Hartman discloses a method for 
creating a shopping cart and storing the shopping cart along with a unique client 
identifier (cookie), purchaser-specific information (Hartman Column 3 line 31 - Column 
6 line 21). Therefore it would have been obvious to one having ordinary skill in the art at
the time the invention was made to modify Hartman's shopping cart system into the 
dynamically tracking user session system of Alegre. 

Alegre could have been modified by Hartman to arrive at the claimed invention by
having the shopping cart with user purchase information to be saved on the directory as 
taught by Hartman (See Hartman Column 3 line 31 - Column 8 line 25) and as 
suggested by Alegre (See Alegre Column 7 line 3 - Column 8 line 53). One of ordinary 
skill in the art would have been motivated to modify Alegre by Hartman as discussed 
above because in shopping cart systems user profiles are stored in a directory as
taught by Hartman and employing the shopping cart within Alegre would provide an 
efficient and secure method for dynamically tracking a user session. 

Claims 6 and 12 are rejected as applied above in rejecting claims 5 and 11.
Furthermore, Alegre teaches and describes the steps of allowing the user to select 
items to be purchased and storing information relating to the selected items in the 
shopping cart (Hartman Column 3 line 46 - Column 4 line 26; Column 5 line 27 - 
Column 6 line 21 and Column 7 line 57 - Column 8 line 25). 

Claims 22, 23, 25, 26, 28 and 33 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Alegre et al. (U.S. Patent Number 6,199,113, hereafter "Alegre") in 
view of Blanco et al. (U.S. Patent Number 6,539,482, hereafter "Blanco"). 

Claims 22, 25, 28 and 33 are rejected as applied above in rejecting claims 21
and 24. Furthermore, Alegre teaches and describes wherein the other computer 
applications access the object on the directory server using a dynamic directory service 
(Column 5 line 48 - Column 6 line 49). Alegre does not explicitly disclose that the 
dynamic directory service comprises the lightweight directory access protocol (LDAP). 
However, Blanco discloses a network access authentication system that gathers the 
data concerning the users, including authentication data, in a data base of a directory, 
which uses Lightweight directory access protocol which is specifically targeted at
management applications and browsing applications that provide interactive access to 
directories (Blanco Column 3 lines 22 - 67). 

Motivation to combine Blanco with Alegre comes from the need to provide 
authentication and authorization of a user available to an authorization server coupled 
with a directory server that stores the authentication (user) data. Alegre provides a 
discussion of the need for security and authorization information for all the resources 
that a user can access but is silent as to the specific details of the LDAP, see Alegre 
Column 1 line 51 - Column 2 line 35 (especially Column 2 lines 24 - 35). It would have 
been obvious to one of ordinary skill in the art to combine Alegre with Blanco because 
LDAP provides the authentication data stored in the directory available to all the 
applications that are associated with a directory server and provides interactive access 
to directories. 

Claims 23 and 26 are rejected as applied above in rejecting claims 21 and 24.
Furthermore, Alegre teaches and describes wherein the other computer applications 
access the object on the directory server using a dynamic directory service (Column 5 
line 48 - Column 6 line 49). Alegre does not explicitly disclose that the dynamic 
directory service comprises the X.500 access protocol. However, Blanco discloses a 
network access authentication system that gathers the data concerning the users, 
including authentication data, in a data base of a directory, which uses Lightweight 
directory access protocol that supports X.500 access protocol (Blanco Column 3 lines 
22 - 67). 

Motivation to combine Blanco with Alegre comes from the need to provide 
authentication and authorization of a user available to an authorization server coupled 
with a directory server that stores the authentication (user) data. Alegre provides a 
discussion of the need for security and authorization information for all the resources 
that a user can access but is silent as to the specific details of the LDAP, see Alegre 
Column 1 line 51 - Column 2 line 35 (especially Column 2 lines 24 - 35). It would have 
been obvious to one of ordinary skill in the art to combine Alegre with Blanco because 
LDAP which supports X.500 access protocol, provides the authentication data stored in 
the directory available to all the applications that are associated with a directory server 
and provides interactive access to directories. 

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Examiner's Note: Examiner has cited particular columns and line numbers in the 
references as applied to the claims above for the convenience of the applicant. 
Although the specified citations are representative of the teachings in the art and are 
applied to the specific limitations within the individual claim, other passages and figures 
may apply as well. It is respectfully requested from the applicant, in preparing the 
responses, to fully consider the references in entirety as potentially teaching all or part 
of the claimed invention, as well as the context of the passage as taught by the prior art 
or disclosed by the examiner. 

Art Unit: 2136

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. See PTO Form 892. 

Applicant is urged to consider the references. However, the references should be 
evaluated by what they suggest to one versed in the art, rather than by their specific 
disclosure. If applicants are aware of any better prior art than those cited, they are
required to bring the prior art to the attention of the examiner. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Pramila Parthasarathy whose telephone number is 571-
272-3866. The examiner can normally be reached on 8:00 a.m. to 5:00 p.m. If attempts
to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ayaz 
Sheikh can be reached on 571-232-3795. Any inquiry of a general nature or relating to 
the status of this application or proceeding should be directed to the receptionist whose 
telephone number is 703-305-3900. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR only. For more 
information about the PAIR system, contact the Electronic Business Center (EBC) at 
866-217-9197 (toll-free).





Pramila Parthasarathy 
January 21, 2006. 




